some more csrf fixes

1 files changed, 7 insertions, 7 deletions

diff --git a/index.php b/index.php
index b4cac1879c6..9fff459807e 100644
--- a/index.php
+++ b/index.php
@@ -59,10 +59,9 @@ elseif(OC_User::isLoggedIn()) {
 	else {
 		OC_Util::redirectToDefaultPage();
 	}
-}
 
 // For all others cases, we display the guest page :
-else {
+} else {
 	OC_App::loadApps();
 	$error = false;
 
@@ -80,10 +79,9 @@ else {
 		else {
 			OC_User::unsetMagicInCookie();
 		}
-	}
 
 	// Someone wants to log in :
-	elseif(isset($_POST["user"]) && isset($_POST['password'])) {
+	} elseif(isset($_POST["user"]) and isset($_POST['password']) and isset($_SESSION['sectoken']) and isset($_POST['sectoken']) and ($_SESSION['sectoken']==$_POST['sectoken']) ) {
 		if(OC_User::login($_POST["user"], $_POST["password"])) {
 			if(!empty($_POST["remember_login"])){
 				if(defined("DEBUG") && DEBUG) {
@@ -100,9 +98,9 @@ else {
 		} else {
 			$error = true;
 		}
-	}
+	
 	// The user is already authenticated using Apaches AuthType Basic... very usable in combination with LDAP
-	elseif(isset($_SERVER["PHP_AUTH_USER"]) && isset($_SERVER["PHP_AUTH_PW"])){
+	} elseif(isset($_SERVER["PHP_AUTH_USER"]) && isset($_SERVER["PHP_AUTH_PW"])){
 		if (OC_User::login($_SERVER["PHP_AUTH_USER"],$_SERVER["PHP_AUTH_PW"]))	{
 			//OC_Log::write('core',"Logged in with HTTP Authentication",OC_Log::DEBUG);
 			OC_User::unsetMagicInCookie();
@@ -111,5 +109,7 @@ else {
 			$error = true;
 		}
 	}
-	OC_Template::printGuestPage('', 'login', array('error' => $error, 'redirect' => isset($_REQUEST['redirect_url'])?$_REQUEST['redirect_url']:'' ));
+	$sectoken=rand(1000000,9999999);
+	$_SESSION['sectoken']=$sectoken;
+	OC_Template::printGuestPage('', 'login', array('error' => $error, 'sectoken' => $sectoken, 'redirect' => isset($_REQUEST['redirect_url'])?$_REQUEST['redirect_url']:'' ));
 }